B Disabling and Enabling Oracle Database Vault

Periodically you must disable and then re-enable Oracle Database Vault, for activities such as installing Oracle Database optional products or features. When Oracle Database Vault is disabled, there are some Database Vault features that you can still use.

Note:

Oracle does not support the deinstallation of Oracle Database Vault.

When You Must Disable Oracle Database Vault

You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can re-enable Oracle Database Vault after you complete the corrective tasks.

Note:

Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked from Existing Users and Roles" for a listing of the revoked privileges.

The following situations require you to disable Oracle Database Vault:

  • The Oracle Database Vault user accounts have been inadvertently locked or their passwords forgotten. Note that if your site only has one DV_OWNER user and this user has lost his or her password, you will be unable to disable Oracle Database Vault. However, if your site's only DV_ACCTMGR user has lost the password, you can disable Database Vault. As a best practice, you should grant the DV_OWNER and DV_ACCTMGR roles to new or existing user accounts, and use the Database Vault Owner and Account Manager accounts that you created when you registered Database Vault as back-up accounts. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • You must install any of the Oracle Database optional products or features, such as Oracle Spatial or Oracle Multimedia, by using Database Configuration Assistant (DBCA).

Checking if Oracle Database Vault Is Enabled or Disabled

You can check if Oracle Database Vault is enabled or disabled by querying the V$OPTION data dictionary view. Any user can query this view.

If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.

Remember that the PARAMETER column value is case sensitive. For example:

SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is enabled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE

Step 1: Disable Oracle Database Vault

Be aware that after you disable Oracle Database Vault, Oracle Label Security, which is required to run Database Vault, is still enabled.

  1. In SQL*Plus, log in as the Oracle Database Owner (DV_OWNER) account, and then disable Oracle Database Vault.

    sqlplus psmith
    Enter password: password
    
    EXEC DBMS_MACADM.DISABLE_DV;
    
  2. In a multitenant environment, connect to the appropriate pluggable database (PDB).

    For example:

    CONNECT psmith@hrpdb
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Restart the database.

    -- Or, CONNECT SYS@hrpdb AS SYSOPER
    CONNECT SYS AS SYSOPER
    Enter password: password
    
    SHUTDOWN IMMEDIATE
    STARTUP
    
  4. For Oracle RAC installations, repeat these steps for each node on which the database is installed.

Step 2: Perform the Required Tasks

At this stage, Oracle Database Vault is disabled.

You can perform the following types of activities:

  • Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault pages in Enterprise Manager Cloud Control. Note that a CONNECT command rule cannot prevent a user who has the DV_OWNER or DV_ADMIN role from connecting to the database. This enables a Database Vault administrator to correct a misconfigured protection without having to disable Database Vault.

  • Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying standard database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • Perform the installation or other tasks that require security protections to be disabled.

Step 3: Enable Oracle Database Vault

You can enable Oracle Database Vault and Oracle Label Security from SQL*Plus.

  1. In SQL*Plus, connect as the Oracle Database Owner (DV_OWNER) account, and then enable Oracle Database Vault.

    -- Or, CONNECT psmith@hrpdb for a PDB
    CONNECT psmith
    Enter password: password
    
    EXEC DBMS_MACADM.ENABLE_DV;
    
  2. Check if Oracle Label Security is enabled.

    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
    

    Oracle Label Security must be enabled before you can use Database Vault. If it is not enabled, then this query returns FALSE.

  3. If Oracle Label Security is not enabled, then enable it.

    -- Or, CONNECT SYS@hrpdb AS SYSDBA
    CONNECT SYS AS SYSDBA
    Enter password: password
    
    EXEC LBACSYS.CONFIGURE_OLS;
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    
  4. Restart the database.

    -- Or, CONNECT SYS@hrpdb AS SYSOPER
    CONNECT SYS AS SYSOPER
    Enter password: password
    
    SHUTDOWN IMMEDIATE
    STARTUP
    
  5. For Oracle RAC installations, repeat these steps for each node on which the database is installed.
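
After the restart in Step 3, a maintenance runbook can confirm that both options are enabled again before the change is closed. The following SQL*Plus script is an added example, not part of the Oracle documentation; it uses only the V$OPTION view and the two PARAMETER values shown on this page, and the error number -20001 and the message text are arbitrary choices.

```sql
-- Added example: post-maintenance gate for the re-enable procedure.
-- Any user can run it, because V$OPTION is readable by all users.
-- The session exits with a failure status unless both options report TRUE.
WHENEVER SQLERROR EXIT FAILURE
SET SERVEROUTPUT ON

DECLARE
  -- PARAMETER values are case sensitive, so they are spelled exactly
  -- as they appear in V$OPTION.
  TYPE name_list IS TABLE OF VARCHAR2(64);
  required  name_list := name_list('Oracle Database Vault',
                                   'Oracle Label Security');
  v_value   VARCHAR2(64);
  v_failed  PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. required.COUNT LOOP
    BEGIN
      SELECT value INTO v_value
        FROM v$option
       WHERE parameter = required(i);
    EXCEPTION
      WHEN NO_DATA_FOUND THEN
        v_value := 'MISSING';  -- no row for this option
    END;

    DBMS_OUTPUT.PUT_LINE(RPAD(required(i), 30) || v_value);

    IF v_value <> 'TRUE' THEN
      v_failed := v_failed + 1;
    END IF;
  END LOOP;

  IF v_failed > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      v_failed || ' required option(s) not enabled after maintenance');
  END IF;
END;
/
EXIT SUCCESS
```

In a multitenant environment, run the script while connected to each PDB in which Database Vault was disabled.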